New Linux worm targets routers, cameras, “Internet of things” devices

Too many Internet-connected devices run code that's woefully out of date.

Researchers have discovered a Linux worm capable of infecting a wide range of home routers, set-top boxes, security cameras, and other consumer devices that are increasingly equipped with an Internet connection.

Linux.Darlloz, as the worm has been dubbed, is now classified as a low-level threat, partly because its current version targets only devices that run on CPUs made by Intel, Symantec researcher Kaoru Hayashi wrote in a blog post published Wednesday. But with a minor modification, the malware could begin using variants that incorporate already available executable and linkable format (ELF) files that infect a much wider range of "Internet-of-things" devices, including those that run chips made by ARM and those that use the PPC, MIPS, and MIPSEL architectures.

"Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability," Hayashi explained. "If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures."

The researcher went on to say the attacker behind the Intel version is also hosting ELF files that exploit the other chip architectures.

The “e_machine” value in the ELF header indicates that the worm is for the ARM architecture.
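The e_machine check described in the caption, as an added example that is not from the article or Symantec's analysis: a small triage helper that reads the ELF identification bytes and e_machine to report which of the architectures named above (x86, ARM, PPC, MIPS, MIPSEL) a binary was built for. The sample headers are constructed for the example, not real worm files.

```python
import struct

# e_machine values as defined in the ELF specification (elf.h)
EM_386, EM_MIPS, EM_PPC, EM_ARM, EM_X86_64 = 3, 8, 20, 40, 62
MACHINE_NAMES = {EM_386: "x86", EM_MIPS: "MIPS", EM_PPC: "PPC",
                 EM_ARM: "ARM", EM_X86_64: "x86-64"}


def elf_target(header: bytes) -> dict:
    """Return class, byte order and machine of an ELF file from its first 20 bytes.

    Raises ValueError if the bytes do not start with the ELF magic or the
    EI_DATA field is not one of the two defined byte orders.
    """
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]          # 1/2 = 32/64-bit, 1/2 = LE/BE
    if ei_data not in (1, 2):
        raise ValueError("unknown EI_DATA value %d" % ei_data)
    endian = "<" if ei_data == 1 else ">"
    # e_type sits at offset 16 and e_machine at 18; both are 16-bit fields
    # stored in the file's own byte order, so decode them with that order.
    e_type, e_machine = struct.unpack(endian + "HH", header[16:20])
    name = MACHINE_NAMES.get(e_machine, "unknown(0x%x)" % e_machine)
    # The MIPSEL variant the article mentions is EM_MIPS in a little-endian file.
    if e_machine == EM_MIPS and ei_data == 1:
        name = "MIPSEL"
    return {"bits": 32 if ei_class == 1 else 64,
            "little_endian": ei_data == 1,
            "e_type": e_type,
            "e_machine": e_machine,
            "machine": name}


def make_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Constructed sample input: build the first 20 bytes of an ELF header."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9   # 16-byte e_ident
    return ident + struct.pack(endian + "HH", e_type, e_machine)


# Constructed headers covering the architectures the article lists (ET_EXEC = 2).
SAMPLES = {
    "x86": make_header(1, 1, 2, EM_386),
    "arm": make_header(1, 1, 2, EM_ARM),
    "mips_be": make_header(1, 2, 2, EM_MIPS),
    "mipsel": make_header(1, 1, 2, EM_MIPS),
    "ppc": make_header(1, 2, 2, EM_PPC),
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(label, elf_target(hdr))
```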

Out of date

While not posing much of a real-world threat now, Darlloz demonstrates a major shortcoming with most Internet-of-things devices available today—they typically run Linux or other types of open source code that are woefully out of date. Making matters worse, many Internet-connected consumer devices can't be updated because their lightweight hardware can't handle the requirements of newer code versions. Hijacking one of these devices thus becomes much easier than exploiting, say, an up-to-date version of Windows, OS X, or Linux.

Darlloz exploits a vulnerability in the PHP scripting language that was patched 18 months ago. Devices that use older versions of PHP to provide a Web-based interface to make configuration changes may be vulnerable to the attack. With minor modifications, the worm could potentially be reprogrammed to exploit dozens of patched vulnerabilities that still haven't made their way into most consumer devices.

Readers who want to tighten the security of their routers and other devices should consider doing research ahead of purchases and buying only gear that can be updated easily. For existing devices, update to the latest available version, change default passwords, and block incoming POST requests and other types of HTTP calls if at all possible.

The worst part is almost nobody knows these appliances run Linux and are even vulnerable to such things.

Pretty smart set of targets. Ultimately how these appliances are built, updated, maintained and secured will have to change. One thing that is crystal clear in OS security is it is not a matter of if but of when a particular OS will be found vulnerable. Leaving devices with no security upgrade path will make them prime targets moving forward.


I wish this article had made it a bit more clear that this is not a Linux specific security vulnerability. That is to say, the fundamental vulnerability comes not from Linux, but from software being out of date.

Out of date Windows is vulnerable, out of date OS X is vulnerable... not necessarily to this particular worm, but to exploits in general. That is what "out of date" means.

How about removing the word Linux from the title, and saying "New worm targets out-of-date routers, cameras, “Internet of things” devices". I see that's what the subtitle says, but it's the title that gets re-posted and re-blogged all over the interblags.

That's the reason routers should only accept admin calls inside their home network. A simple firewall setting should fix that.

Given the exploit, I'm not sure that would help. If your router is exploited, it would be comparatively trivial to bypass such protections.

It all comes back to our (consumer, at least) routers and modems being essentially out-of-date PCs with fairly laughable security precautions in place.

The day is apparently here when we need to install AV on our PCs, tablets, phones, and network equipment. Or, I guess, AV makers could come up with a mechanism to run AV scans on network devices from a PC.

> How about removing the word Linux from the title, and saying "New worm targets out-of-date routers, cameras, “Internet of things” devices".

Sure. However, the name of the worm is Linux.Darlloz, so to say a new Linux worm targets routers is correct.

I bought one of the first generations of Netgear WNDR3700 routers, a UI of which is pictured in the article. There was 1 update, or possibly 2, and there have not been any updates released for it for 1.5 years, at least.

I doubt there are no improvements to be made, but Netgear dropped support of this device.

I'll load up either DD-WRT or OpenWRT on it, since the device is supported and has some good specs (fast CPU, lots of RAM and flash).

Is it not possible that some person/company/consortium could create some standardized, extremely light-weight, regularly and easily updated distribution that is guaranteed to not exceed a certain baseline of system requirements until a specified date?

As an example with made-up numbers, RouterLinux 1.0 is released today. It requires a 500MHz ARM processor with 64MB memory. It is promised that it will have the optimum performance under this configuration for the lifetime of RL 1.0. It gets only security updates that are verified not to cause regressions, no feature updates, and it gets these pushed automatically. It will get security updates for 7 years, by which point it will likely be quite outdated specs wise, and should be replaced.

Of course supporting the development of and adopting dd-wrt as the stock system is also an option...

> Making matters worse, many Internet-connected consumer devices can't be updated because their lightweight hardware can't handle the requirements of newer code versions.

This is simply not correct, and perpetuates a stereotype which is false.

There is no reason at all that most devices could not run a properly minimized version of a current Linux. Yes, it's a large OS, but most of that is not required for these devices. Any vaguely competent minimization effort should easily cut it down to something which fits in an ARM or MIPS SoC found in these devices.

Secondly, patching security bugs doesn't necessarily require a whole new OS anyway. Most of them will be found in the middleware, typically in the web/app server. Even if they are in Linux proper (kernel or user space code), it should simply require a patch to the current OS, not upgrading the whole of Linux.

But... the primary reason these devices aren't kept up to date is because they are considered largely point products rather than platforms.

What we need to do is to encourage vendors not to produce firmware for a specific product, but to produce a series of platforms running the same OS code base (note: source code base; the firmware images are likely to be all different.) That way they spread update costs across their range, rather than on a product for which they're getting no on-going revenue.

As customers, we should be telling the network device manufacturers:

1. We _do_ care about the quality of their firmware, and will pay an individually small purchase-time premium to a vendor who does the right thing and commits to updates which address serious bugs and security vulnerabilities.
2. Alternatively, we would pay a small fee (per release or yearly) to support the on-going development of updates which include extra features and security fixes, in return for agreements to implement those in a timely fashion. Note: I would have a SERIOUS problem with any vendor which charged for security updates.
3. Manufacturers should consider trade-in voucher programs for orphaned hardware which simply cannot be upgraded anymore. One creative way of doing this might be to exchange the orphaned hardware for, say, a year of software updates.
4. Does this mean vendors might end up with a base-release (free, security updates only) and a feature-release (paid, security and features)? I'd be comfortable with that. But I caution against following the Cisco path of having ABSURD numbers of releases and feature sets. Even for Cisco, that's a nightmare.
5. We should insist that telco provided equipment is held to a MUCH higher standard of security, because we are paying the telco an ongoing revenue stream.

Frankly, right now, I admire the companies who DO provide security updates for free. These things are consumer products, with razor thin margins.

Because it's not really the engineering costs anyway, it's the QA costs. With an access point or ADSL router, a bug is bad, but probably not disastrous. But imagine a bug on an SMB RAID array which causes data corruption: that would be a crisis for any company.

I also have an old Netgear router with a similar interface as above. I very recently replaced it with an old PC running pfSense. All DHCP, DNS and routing features are handled by the pfSense box. The Netgear is now only serving as a wired switch and wireless access point.

Cool story bro; relevance? The Netgear still sucks even as an AP. I used to have to reboot it every 2 days when it was the router. Now it's every week. If my device doesn't have the horsepower and/or reliability to serve as an AP, I don't think it would be very useful in a DDoS attack.

The Netgear did have DNS resolution capabilities (and maybe even DNS caching) so redirecting traffic to malicious sites would probably be an option that wouldn't tax the local hardware.

> Is it not possible that some person/company/consortium could create some standardized, extremely light-weight, regularly and easily updated distribution that is guaranteed to not exceed a certain baseline of system requirements until a specified date?

The problem is the demand and requirements of different networks. The OS isn't what drives the hardware needs, the amount of traffic that has to go over the network does, so hardware requirements don't really make sense. Features also differ from user to user, saying you need the hardware on all routers to provide deep packet inspection doesn't make a whole lot of sense. DD-WRT makes sense in this regard, the hardware is whatever the device manufacturer felt suitable to that device, which usually is suitable. Then they make different versions to support different features.

Features also need to be pushed from time to time as a kind of security. What if a vastly improved encryption method comes out? What about protocol support? I can see how it'd be nice to have a stable version, but ensuring security updates don't cause regression is really hard to test as well. There will be specific device issues that cause problems, I've never seen a DD-WRT update that caused widespread problems (not to say they don't exist, but I haven't seen one or heard of one besides a few device-specific issues).

> That's the reason routers should only accept admin calls inside their home network. A simple firewall setting should fix that.

The problem with that is most devices have a standard username and password, and once we have access to those it's simple to overwrite. I think the only trick is to upgrade itself on a regular basis and force the user to update the password before use. This is not a silver bullet but it at least minimises the risk.

How many of those appliances have x86 processors? Genuine question - I know some do, but don't most use ARM?

... or MIPS, or....

DD-WRT runs on the embedded platforms that have been used to make routers over the last decade. Until you get into really low end devices using microcontrollers like an AVR or PIC DD-WRT already has support for the CPU architectures involved (drivers for the specific hardware are something else).

In the case where no web services are listening on external ports then how would the exploit work, or am I right in thinking that it wouldn't?

My ancient DG834G and I would like to know.

It probably wouldn't work. Probably. There are theoretical exploits that may work... for example flooding a router with specially malformed traffic on a given port in the blind, because the attacker would not know there'd be a device there. Yes, the router isn't responding on that port, but it must receive and analyze that traffic to determine whether or not it should block it. The specially malformed traffic could cause a buffer overflow in firmware, which could in turn be exploited to overwrite machine code in the router's RAM, which could in turn be commanded to download and install further exploits which would then be permanent. That's how many remote exploits work, albeit against listening services on full OSs.

This would be of particular effectiveness if sent to a port on which application layer proxies typically sit... like port 80. Prioritizing the discarding of traffic sent to a port before the proxy parses said traffic would mitigate that attack, but who knows if the firmware devs were that smart, right?

> How about removing the word Linux from the title, and saying "New worm targets out-of-date routers, cameras, “Internet of things” devices".

Seeing as Linux proponents love to imply that Linux is perfect security wise I don't see why Linux shouldn't be singled out every once in a while. If anything to dispel the notion of invulnerability.

> This is simply not correct, and perpetuates a stereotype which is false.

I disagree with this. It's like saying that any 486 computer that ran Linux 1.0 should be updatable to kernel 3.12.1. The new kernel won't even boot on a 486 unless specifically compiled to do so, and the size of a modern distro is larger than the hard disks available at the time.

IRL I know of a device considered for an application in a secure area, it turns out that there was a php vulnerability. But the patch was not available for that php version that fit in the firmware and there was not sufficient space in the appliance flash for the newer php. That is, without re-writing the php themselves, the firmware could not be updated to fix the vulnerability.

And I suspect most devices running Linux use an older, smaller kernel and busybox to keep the size to a minimum. There are no patches made for these older platforms.

> Readers who want to tighten the security of their routers and other devices should consider doing research ahead of purchases and buying only gear that can be updated easily.

This is really something that is impossible because

1) just because it can be updated easily, doesn't mean it will be. All those android 2.x handsets could be "updated easily" but they won't be. Devices that are just fine for their intended task now need to be put out to pasture because there is no way to make them safe.

2) mfgrs often promise updates on a timely and regular basis, but we all know this is never the true case. You can expect no new device firmware upgrades a few years after the device hit the market. So that turns every single friggin device into a throw away, gotta upgrade every few years type of item.

3) even things like dd-wrt are for advanced users, and often times it comes at a cost. I was planning to do a dd-wrt flash on some commercial netgear access points I was installing, until I found out that you lose 5ghz spectrum and only get 2.4 when you do, so I refrained.

Does anyone know the details of how it infects the router? Because I would expect the admin interface to be visible from the local network only, especially for a home network configuration, and that rules out all direct remote attacks. In other words, do you need to be dumb enough to run the worm on your PC/laptop/phone first, and then it attacks your router??

> How many of those appliances have x86 processors? Genuine question - I know some do, but don't most use ARM?

And even then, my experience with these (routers anyway) is that you can't even access the web/HTTP interface from across the net, it has to be done from the LAN (unless explicitly enabled). Even assuming we throw in ARM hardware, it doesn't seem like a huge set of targets.

Is my experience with router admin pages only available through the LAN not the norm?

> I doubt there are no improvements to be made, but Netgear dropped support of this device.

I don't think there's much, if any, incentive for manufacturers to keep consumer grade router or modem firmware updated and patched. It's unfortunate, but I'd speculate that the average person in the US gives no thought to what a router is or does. Most probably also don't know or care that they could purchase their own and are perfectly content with paying the extra $8 or so per month for whatever their ISP provides them with. Out of sight, out of mind.

> I disagree with this. It's like saying that any 486 computer that ran Linux 1.0 should be updatable to kernel 3.12.1.

So your point is that you disagree that the default distribution won't run on a 486 without minimizing the build and ensuring that it's configured to support the 486?

Yet minimizing the build and configuring it to support the CPU ISA is exactly what the device manufacturers do every single time.

Yes, _flash_ (not hard disk space, as you strangely introduce) is usually the largest determinant. However, it is surprising how lazy some of these guys are at trimming out unnecessary code. Again, my argument is that by spreading the engineering and QA effort across a source-compatible platform, the vendor gets a larger ROI.

> I don't think there's much, if any, incentive for manufacturers to keep consumer grade router or modem firmware updated and patched.

Let's not forget that the vast majority of high speed ISPs (at least in the US) now give you a router, or a modem/router combo, with your service for free. For example you have to use the Verizon Fios router or DSL router, so you are stuck with whatever they decide to do. You don't pay a monthly fee, but you have no way to not use it. Even if you use your own router and set up the Fios router in bridge mode, you still have to have their router there in your network chain.

> In the case where no web services are listening on external ports then how would the exploit work, or am I right in thinking that it wouldn't?

To protect from infection by the worm, Symantec recommends users take the following steps:

1. Verify all devices connected to the network
2. Update their software to the latest version
3. Update their security software when it is made available on their devices
4. Make device passwords stronger
5. Block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:
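The advice in the article and in Symantec's list above, to block or at least watch incoming HTTP POST requests to the management interface, turned into a check that can be run over a device's or gateway's access log; this is an added example, not code from the article or from Symantec. It flags POSTs to watched paths that arrive from addresses outside the private LAN ranges, which is the traffic pattern the worm's random-IP scanning produces. The watched paths and the log lines are constructed for the example, since the article does not list the real paths.

```python
import ipaddress
import re
from typing import Dict, List

# Private (RFC 1918) ranges: management requests are expected only from inside
# the home network, as several comments above point out.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical management paths for the appliance under review; the real
# list depends on the device and is not given in the article.
WATCHED_PATHS = ("/cgi-bin/", "/admin/")

# Common Log Format as written by many small embedded web servers:
# client - - [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')


def is_lan(ip: str) -> bool:
    """True if ip parses and falls inside one of the private LAN ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False            # not an IP at all; treat as untrusted
    return any(addr in net for net in LAN_NETS)


def suspicious_posts(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that are POSTs to a watched path from outside the LAN."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # unparseable line; leave it for manual review
        rec = m.groupdict()
        if rec["method"] != "POST":
            continue
        if not rec["path"].startswith(WATCHED_PATHS):
            continue
        if is_lan(rec["ip"]):
            continue            # a LAN host changing settings is expected
        hits.append(rec)
    return hits


# Constructed sample log; addresses are documentation ranges and the paths are made up.
SAMPLE_LOG = [
    '192.168.1.20 - - [27/Nov/2013:10:01:02 +0000] "GET /admin/status.php HTTP/1.1" 200 512',
    '192.168.1.20 - - [27/Nov/2013:10:01:09 +0000] "POST /admin/save.php HTTP/1.1" 200 87',
    '203.0.113.45 - - [27/Nov/2013:10:03:44 +0000] "POST /cgi-bin/setup.php HTTP/1.1" 200 1342',
    '198.51.100.7 - - [27/Nov/2013:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [27/Nov/2013:10:04:05 +0000] "POST /index.html HTTP/1.1" 404 210',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for rec in suspicious_posts(SAMPLE_LOG):
        print("external POST to management path:", rec["ip"], rec["path"], rec["ts"])
```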
